-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-00:27                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          XFree86-4.0 port contains local root overflow

Category:       ports
Module:         Xfree86-4
Announced:      2000-07-05
Credits:        Michal Zalewski <lcamtuf@TPI.PL>
Affects:        Ports collection.
Corrected:      2000-06-09
Vendor status:  Vendor eventually released patch
FreeBSD only:   NO

I.   Background

XFree86 4.0 is a development version of the popular XFree86 X Windows
system.

II.  Problem Description

XFree86 4.0 contains a local root vulnerability in the XFree86 server
binary, due to incorrect bounds checking of command-line
arguments.

The server binary is setuid root, in contrast to previous versions
which had a small setuid wrapper which performed (among other things)
argument sanitizing. 

The XFree86-4 port is not installed by default, nor is it "part of
FreeBSD" as such: it is part of the FreeBSD ports collection, which
contains over 3400 third-party applications in a ready-to-install
format. The ports collection shipped with FreeBSD 4.0 contains this
problem since it was discovered after the release, but it was fixed in
time for FreeBSD 3.5.

FreeBSD makes no claim about the security of these third-party
applications, although an effort is underway to provide a security
audit of the most security-critical ports.

III. Impact

Unprivileged local users can obtain root access.

If you have not chosen to install the XFree86-4 port/package, then
your system is not vulnerable to this problem.

IV.  Workaround

Deinstall the XFree86-4 port/package, if you you have installed it, or
limit the execution file permissions on the /usr/X11R6/bin/XFree86
binary so that only members of a trusted group may run the binary.

V.   Solution

At this time, we do not recommend using XFree86 4.0 on multi-user
systems with untrusted users, because of the lack of security in the
server binary. The current "stable" version, XFree86 3.3.6, is also
available in FreeBSD ports.

One of the following:

1) Upgrade your entire ports collection and rebuild the XFree86-4 port.

2) Deinstall the old package and install a new package dated after the
correction date, obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/x11/XFree86-4.0.tar.gz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/x11/XFree86-4.0.tar.gz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/x11/XFree86-4.0.tar.gz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/x11/XFree86-4.0.tar.gz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/x11/XFree86-4.0.tar.gz

An updated version of XFree86, version 4.0.1, has just been released,
which is believed to also fix the problems detailed in this advisory,
however the X server is still installed setuid root and so the above
warning against installation on multi-user machines still applies. The
packages will be available at the following locations in the next few
days:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/x11/XFree86-4.0.1.tar.gz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/x11/XFree86-4.0.1.tar.gz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/x11/XFree86-4.0.1.tar.gz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/x11/XFree86-4.0.1.tar.gz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/x11/XFree86-4.0.1.tar.gz

3) download a new port skeleton for the XFree86-4 port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above. The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:

ftp://ftp.freebsd.org/pub/FreeBSD/ports/packages/devel/portcheckout-1.0.tgz

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBOWGrplUuHi5z0oilAQFDjgP9E3l6VG7ic+F0HMDsSDGbsYrIFM3hvBDJ
hu22Vu/F18PyeOVrgZY4ljE/BvdSy4bJMJSDJsrP4jYicse7ArwvSLEJOjoIuPoK
ErUCz34UgNAWs+zszFD0V5xAuWH3Oyii4qamqDnSaurYl6oKp5tPNx2vSrA3UDxM
moK703Mpfak=
=nu3f
-----END PGP SIGNATURE-----
